
Tipping the Scales: Page 2 of 7

The IDS component is the heart of UnityOne. It groups signatures into attack categories -- absolute, standard and policy -- and assigns each attack a severity level -- from critical to informational -- and the two together determine the action applied. Absolute attacks -- those with no possible false positives -- can be identified and blocked outright. Standard attacks are suspicious but may be caused by normal activity, so packets that trigger such an alert can be captured and checked later, or passed on accompanied by an alert. Policy attacks -- violations of best practices -- can be assigned a variety of actions. Per-packet processing takes less than 1 ms from NIC to NIC.

Each filter also has configurable actions. Administrators can be e-mailed, paged or sent SMS (Short Message Service) notifications that include a brief description of the event and a URL to the CERT advisory. Unfortunately, the URL is not a live link. Also, I'd appreciate links to the Bugtraq ID and CVE (Common Vulnerabilities and Exposures) entry.

Vendor Information
UnityOne 2000, $99,995.
TippingPoint Technologies, (512) 681-8000.
www.tippingpoint.com


TippingPoint claims each UnityOne 2000 can process up to 2 Gbps. However, when I used Caw Networks' Avalanche to generate HTTP requests and Caw's Reflector to act as a Web farm, my results were far lower because of a beta bug that caused numerous false positives (see sidebar, "Slow Going Because of Beta Bug"). TippingPoint has been working to reduce the number of false positives, but I still have two points of contention. First, the tools used to discover what was happening on the IDS are available only through a special shell and not normally available to end users, which means I couldn't even begin to troubleshoot the problem. Second, there is no way to edit the triggers -- I was at the mercy of TippingPoint to resolve and modify the rule base.

Bottom line: When using UnityOne, make every attempt to validate the rule sets to ensure your traffic is not affected. Also, though UnityOne can be helpful, you should use it only as augmentation to a properly configured firewall and server patch-management system.
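The category-and-severity scheme described above, and the "validate the rule sets" advice, are easier to reason about with a concrete model. The following is an added example, not TippingPoint's code and not how UnityOne is implemented internally: a small policy engine that maps each signature's category and severity to an action the way the review describes (absolute: block; standard: capture or pass with alert; policy: site-chosen action), formats the kind of notification an administrator would receive, and replays labelled sample traffic through the rule set to report which rules would block legitimate packets. The rule names, regex signatures, the intermediate severity names (major, minor) and all traffic samples are constructed for illustration; only "critical" and "informational" come from the page.

```python
"""Added example: category/severity -> action policy plus a rule-set
validation harness. Everything below (rule names, patterns, traffic)
is constructed; it is not UnityOne's rule base or its code."""
import re
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Category(Enum):
    ABSOLUTE = "absolute"   # no plausible false positives -> safe to block
    STANDARD = "standard"   # suspicious but possibly benign -> never block
    POLICY = "policy"       # best-practice violation -> site-chosen action


class Severity(Enum):       # CRITICAL and INFORMATIONAL are from the page;
    CRITICAL = 4            # MAJOR and MINOR are assumed intermediate levels
    MAJOR = 3
    MINOR = 2
    INFORMATIONAL = 1


class Action(Enum):
    BLOCK = "block"
    CAPTURE_AND_ALERT = "capture_and_alert"   # keep the packet for later review
    PASS_AND_ALERT = "pass_and_alert"         # forward it, but notify
    LOG = "log"


@dataclass
class Signature:
    name: str
    pattern: str                    # regex over the payload (constructed)
    category: Category
    severity: Severity
    policy_action: Optional[Action] = None   # only used for POLICY rules
    advisory_url: str = "https://advisory.example/PLACEHOLDER"  # placeholder


@dataclass
class Packet:
    src: str
    dst: str
    payload: str
    should_alert: bool   # ground-truth label used only by the validator


def choose_action(sig: Signature) -> Action:
    """Map category + severity to an action, following the review's scheme."""
    if sig.category is Category.ABSOLUTE:
        return Action.BLOCK
    if sig.category is Category.STANDARD:
        # Standard rules never block on their own: capture the packet when the
        # severity is high enough to be worth inspecting, otherwise pass + alert.
        if sig.severity.value >= Severity.MAJOR.value:
            return Action.CAPTURE_AND_ALERT
        return Action.PASS_AND_ALERT
    return sig.policy_action or Action.LOG


def process(sigs, pkt: Packet):
    """Return (signature, action) for the first matching rule, else None."""
    for sig in sigs:
        if re.search(sig.pattern, pkt.payload):
            return sig, choose_action(sig)
    return None


def notification(sig: Signature, pkt: Packet) -> str:
    """Text an admin would be e-mailed/paged: brief description + advisory URL."""
    return f"[{sig.severity.name}] {sig.name} {pkt.src}->{pkt.dst}; advisory: {sig.advisory_url}"


def validate_ruleset(sigs, traffic):
    """Replay labelled traffic; per rule, count hits, false positives, and
    benign packets that would actually have been blocked."""
    report = {s.name: {"hits": 0, "false_positives": 0, "benign_blocked": 0} for s in sigs}
    for pkt in traffic:
        res = process(sigs, pkt)
        if res is None:
            continue
        sig, action = res
        r = report[sig.name]
        r["hits"] += 1
        if not pkt.should_alert:
            r["false_positives"] += 1
            if action is Action.BLOCK:
                r["benign_blocked"] += 1   # this rule would disrupt real traffic
    return report


def rules_to_review(report):
    """Names of rules that blocked at least one benign packet during replay."""
    return [name for name, r in report.items() if r["benign_blocked"] > 0]


# Constructed rule set. The last rule is deliberately over-broad to show what
# validation is meant to catch before the box goes inline.
RULES = [
    Signature("IIS-Unicode-Traversal", r"%c0%af|%c1%1c", Category.ABSOLUTE, Severity.CRITICAL),
    Signature("Long-URL", r"GET /\S{200,}", Category.STANDARD, Severity.MAJOR),
    Signature("Telnet-Cleartext", r"^TELNET ", Category.POLICY, Severity.INFORMATIONAL, Action.LOG),
    Signature("Directory-Traversal", r"\.\./", Category.ABSOLUTE, Severity.CRITICAL),
]

# Constructed replay traffic with ground-truth labels.
TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.80", "GET /scripts/..%c0%af../winnt/system32/cmd.exe HTTP/1.0", True),
    Packet("10.0.0.6", "10.0.0.80", "GET /css/../img/logo.gif HTTP/1.0", False),   # benign relative path
    Packet("10.0.0.7", "10.0.0.80", "GET /" + "A" * 300 + " HTTP/1.0", True),
    Packet("10.0.0.8", "10.0.0.23", "TELNET login: admin", True),
    Packet("10.0.0.9", "10.0.0.80", "GET /index.html HTTP/1.0", False),
]

if __name__ == "__main__":
    for name, r in validate_ruleset(RULES, TRAFFIC).items():
        print(f"{name:24s} {r}")
    print("review before enabling inline:", rules_to_review(RULES, TRAFFIC) if False else rules_to_review(validate_ruleset(RULES, TRAFFIC)))
```

Replaying a capture of known-good production traffic through `validate_ruleset` before putting an inline device into blocking mode is the practical form of the "validate the rule sets" advice: any absolute-category rule that shows `benign_blocked > 0` is either mis-categorised or too broad and should be downgraded to standard (capture/alert) until the signature is tightened. In the constructed data the over-broad `Directory-Traversal` rule is the one flagged, while the narrower Unicode-traversal rule matches only the labelled attack.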